I want to use twitter REST API on pure web app. For the authenticate I could use firebase to get both accessToken and secretToken. And that work fine without creating my own server
But all other API need to have oauth_signature. And I just don’t want to create proxy server. Instead I could calculate it on client
So I would like to know is it break any policy or make a very huge risk of security?
What I know is if I expose consumer secret, some user might use my secret to call REST API directly when they got secrete access token. But then it just the same level as facebook so I think that’s fine